From a2e66ece4d6b46ba2195cef76913c42177e6b4a2 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Thu, 2 Oct 2014 01:01:17 -0400

Subject: [PATCH 69/74] Another testplan error.

Signed-off-by: Peter Jones <pjones@redhat.com>

---

 testplan.txt | 24 +++++++++++-------------

 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/testplan.txt b/testplan.txt

index ab88781..0b0569e 100644

--- a/testplan.txt

+++ b/testplan.txt

@@ -47,27 +47,25 @@ How to test a new shim build for RHEL/fedora:

     fs0:\EFI\test\lockdown.efi

 17) enable secure boot verification

 18) verify it can't run other binaries:

-    fs0:\EFI\redhat\grubx64.efi

+    fs0:\EFI\test\grubx64.efi

     result should be an error, probably similar to:

     "fs0:\...\grubx64.efi is not recognized as an internal or external command"

-19) copy test.efi to grubx64.efi:

-    cp \EFI\test\test.efi \EFI\test\grubx64.efi

-20) in the EFI shell, run fs0:\EFI\test\shim.efi

-21) you should see MokManager.  Enroll the certificate you added in #13, and

+19) in the EFI shell, run fs0:\EFI\test\shim.efi

+20) you should see MokManager.  Enroll the certificate you added in #13, and

     the system will reboot.

-22) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi

+21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi

     result: "This is a test application that should be completely safe."

   If you get the expected result, shim can run things signed by its internal

   key ring.  Check a box someplace that says it can do that.

-23) from the EFI shell, copy grub to grubx64.efi:

+22) from the EFI shell, copy grub to grubx64.efi:

     cp \EFI\test\grub.efi \EFI\test\grubx64.efi

-24) in the EFI shell, run fs0:\EFI\test\shim.efi

+23) in the EFI shell, run fs0:\EFI\test\shim.efi

     result: this should start grub, which will let you boot a kernel

   If grub starts, it means shim can run things signed by a key in the system's

   db.  Check a box someplace that says it can do that.

   If the kernel boots, it means shim can run things from Mok.  Check a box

   someplace that says it can do that.

-25) remove all boot entries and the BootOrder variable:

+24) remove all boot entries and the BootOrder variable:

     [root@uefi ~]# cd /sys/firmware/efi/efivars/

     [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-*

     removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’

@@ -76,14 +74,14 @@ How to test a new shim build for RHEL/fedora:

     removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’

     removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’

     [root@uefi efivars]# 

-27) reboot

-28) the system should run \EFI\BOOT\BOOTX64.EFI .  If it doesn't, you may just

+25) reboot

+26) the system should run \EFI\BOOT\BOOTX64.EFI .  If it doesn't, you may just

     have an old machine.  In that case, go to the EFI shell and run:

     fs0:\EFI\BOOT\BOOTX64.EFI

   If this works, you should see a bit of output very quickly and then the same

   thing as #24.  This means shim recognized it was in \EFI\BOOT and ran

   fallback.efi, which worked.

-29) copy the unsigned grub into place and reboot:

+27) copy the unsigned grub into place and reboot:

   cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi

-30) reboot again.

+28) reboot again.

     result: shim should refuse to load grub.

-- 

1.9.3